HACKENSACK, N.J. -- A pair of Internet "trolls," accused of hacking into AT&T computer servers last year and stealing the e-mail addresses of about 120,000 Apple iPad users, treated the security breach as a game and bragged about it to enhance their notoriety, authorities said Tuesday.
"We don't tolerate committing crimes for fun and street cred in any area we police," U.S. Attorney Paul J. Fishman, New Jersey's top federal prosecutor, said in announcing the arrests on Tuesday of the two suspects.
Among the prominent victims of the hack were the White House chief of staff at the time, Rahm Emanuel; New York City Mayor Michael Bloomberg; and ABC news anchor Diane Sawyer, authorities said.
In addition, the e-mail accounts of about 16,000 New Jersey iPad users were compromised.
A criminal complaint, unsealed in Newark, N.J., on Tuesday, charged Daniel Spitler, 26, of San Francisco and Andrew Auernheimer, 25, of Fayetteville, Ark., with one count each of conspiracy to access a computer without authorization and fraud. Each count carries a maximum penalty of five years in prison and a $250,000 fine.
If convicted, they also could be ordered to repay AT&T for the cost of the breach.
AT&T's servers were attacked over several days in early June of last year after the hackers discovered a security vulnerability for users of the touch-screen tablet computer who used AT&T's 3G wireless network to connect to the Internet.
Spitler allegedly wrote a script -- "the iPad 3G Account Sluper" -- to exploit the vulnerability and harvest as many unique iPad identification numbers and paired e-mail addresses as possible, authorities said.
The Sluper code fooled AT&T's servers into believing they were communicating with an actual iPad, then launched a "brute force" attack, randomly guessing the identification numbers of users until it got a hit.
"Ultimately, they were able to get 120,000 e-mail addresses that AT&T was keeping confidential," Fishman said.
Spitler and Auernheimer were among eight or so members of Goatse Security, which purports to be an Internet security research group, Fishman said. But he said they "are really just hackers and self-described Internet trolls young men who exist in a world where discovering weaknesses in security measures, and then exploiting them through holes, is a way to score credibility among members of their own group."
"The hallmark of this criminal hacker subculture is malicious one-upmanship," Fishman added. "The more their victims have to scramble to fix the holes and the bigger the humiliation in reputational and actual damage to the corporate victim, the more bragging rights these individuals have in their own community."
"Let me be clear: Computer hacking is not a competitive sport, and security breaches are not a game," he said. Such attacks, he said, can result in significant losses to corporations, and their customers can be made vulnerable to a host of other crimes, privacy violations and unwanted contact.
As the hacking attack was under way, the two men chatted online with others about what they were doing and how they might use the stolen information, Fishman said. Ten days of chat logs, provided by a confidential source to the FBI, show the two "conducted the breach to simultaneously damage AT&T and promote themselves," the complaint said.
Auernheimer even publicized the theft, sending the list of purloined e-mail addresses to a reporter at a popular gossip website called Gawker, along with an e-mail message describing what he and his co-conspirators had done, the complaint said. He also took credit for the breach in several interviews, Fishman said.
AT&T maintained the two men did not contact it about the vulnerability, which legitimate security researchers often do prior to publicly disclosing a weakness. Instead, AT&T learned of the problem from a "business customer" and quickly fixed the problem.
"We take our customers' privacy very seriously, and we cooperate with law enforcement whenever necessary to protect it," AT&T spokesman Mark Siegel said.
(EDITORS: STORY CAN END HERE)
Spitler surrendered to the FBI in Newark on Tuesday morning and appeared later in wrist and ankle shackles for a bail hearing.
U.S. Magistrate Judge Clair C. Cecchi ordered him freed on $50,000 unsecured bond but barred him from any Internet use except during his work as a security guard at a Borders bookstore.
Auernheimer was arrested in Fayetteville, Ark., while appearing in state court on drug charges stemming from a search executed at his home last June as part of the hacking probe. A federal magistrate ordered him detained pending a bail hearing Friday.
(c) 2011, North Jersey Media Group Inc.
Visit The Record Online at http://www.northjersey.com/.
Distributed by McClatchy-Tribune Information Services.